Explainable Analysis of Security Information and Event Management (SIEM) Event Logs for Event Profiling and Preliminary Triage
Abstract
Security Information and Event Management (SIEM) systems generate large volumes of heterogeneous event logs, imposing substantial investigation workloads on Security Operations Centers (SOCs). This study proposes an explainable framework for SIEM event analysis and preliminary triage that emphasizes interpretability and operational applicability without requiring labeled training data. The framework integrates descriptive and temporal analysis, structural association analysis using Spearman correlation, K-means clustering with TF-IDF features to construct interpretable event profiles, and explainable triage scoring based on standard SIEM indicators (severity, priority, confidence, aggregated counts). Experimental evaluation using operational SIEM logs (n=3,490 events) demonstrates 93.8% workload reduction while retaining 98.97% of high-severity events. Validation with labeled attack data (489 SQL injection attempts, 301 brute-force attacks) achieves a 98.2% detection rate (776/790 attacks correctly prioritized) with only 1.8% false negatives, substantially outperforming the severity-only (78.5%) and severity+priority (89.1%) baselines. The results confirm that unsupervised event profiling combined with explainable triage scoring effectively distinguishes genuine security incidents from routine monitoring events. The framework provides a practical, transparent analytical baseline for SOC environments that supports analyst decision-making under realistic operational constraints.
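The abstract describes triage scoring built from four standard SIEM indicators (severity, priority, confidence, aggregated counts) and evaluates it by workload reduction and high-severity retention. The following Python example, added here and not taken from the paper, shows what such an explainable score looks like in practice: every indicator contributes a named, visible term, so an analyst can read off why an event landed in the investigation queue. The weights, the 0.5 threshold, the count-saturation value, the severity-8 cut-off for "high severity", and the six sample events are all assumptions constructed for the illustration; the paper does not publish its exact formula or dataset.

```python
"""Explainable SIEM triage scoring (added illustration, not the paper's code).

Assumptions made for this example: the indicator weights, the score threshold,
the count saturation point, the high-severity cut-off and the sample events.
"""
from dataclasses import dataclass

# Assumed weights: each indicator owns a labelled share of the final score.
WEIGHTS = {"severity": 0.40, "priority": 0.25, "confidence": 0.20, "count": 0.15}
TRIAGE_THRESHOLD = 0.5   # assumed cut-off between "investigate" and "routine"


@dataclass
class Event:
    event_id: str
    category: str
    severity: int     # 1..10, a common SIEM scale (assumed range)
    priority: int     # 1..10 (assumed range)
    confidence: int   # 0..100 (assumed range)
    count: int        # aggregated occurrences behind this event


def normalise(value, lo, hi):
    """Map an indicator onto [0, 1], clamping anything outside the declared range."""
    return max(0.0, min(1.0, (value - lo) / (hi - lo)))


def count_factor(count, saturation=50):
    """Aggregated counts saturate: beyond `saturation` repeats, burstiness is maximal."""
    return min(count, saturation) / saturation


def triage_score(ev):
    """Return (score, contributions). Every term is exposed so the score explains itself."""
    contrib = {
        "severity": WEIGHTS["severity"] * normalise(ev.severity, 1, 10),
        "priority": WEIGHTS["priority"] * normalise(ev.priority, 1, 10),
        "confidence": WEIGHTS["confidence"] * normalise(ev.confidence, 0, 100),
        "count": WEIGHTS["count"] * count_factor(ev.count),
    }
    return round(sum(contrib.values()), 4), contrib


def explain(ev, threshold=TRIAGE_THRESHOLD):
    """One human-readable line per event: score, per-indicator terms and verdict."""
    score, contrib = triage_score(ev)
    parts = ", ".join(f"{k}={v:.2f}" for k, v in contrib.items())
    verdict = "INVESTIGATE" if score >= threshold else "routine"
    return f"{ev.event_id} [{ev.category}] score={score:.2f} ({parts}) -> {verdict}"


def triage(events, threshold=TRIAGE_THRESHOLD):
    """Split events into the queue an analyst sees and the events deferred as routine."""
    queue = [e for e in events if triage_score(e)[0] >= threshold]
    deferred = [e for e in events if triage_score(e)[0] < threshold]
    return queue, deferred


def evaluate(events, queue, high_severity=8):
    """The two metrics the abstract reports: workload reduction and high-severity retention."""
    high = [e for e in events if e.severity >= high_severity]
    kept = [e for e in queue if e.severity >= high_severity]
    return {
        "workload_reduction": round(1 - len(queue) / len(events), 4),
        "high_severity_retention": round(len(kept) / len(high), 4) if high else 1.0,
    }


# Constructed sample events; these are not drawn from the paper's dataset.
SAMPLE_EVENTS = [
    Event("e1", "sqli-attempt", severity=9, priority=8, confidence=90, count=12),
    Event("e2", "bruteforce", severity=7, priority=7, confidence=80, count=60),
    Event("e3", "heartbeat", severity=1, priority=1, confidence=100, count=500),
    Event("e4", "config-audit", severity=3, priority=2, confidence=50, count=4),
    Event("e5", "av-update", severity=2, priority=1, confidence=100, count=30),
    Event("e6", "privilege-escalation", severity=10, priority=9, confidence=60, count=1),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(explain(ev))
    queue, _ = triage(SAMPLE_EVENTS)
    print(evaluate(SAMPLE_EVENTS, queue))
```

Two design points are worth noting. The heartbeat event (e3) carries maximal confidence and a huge count, yet stays routine because severity and priority contribute nothing; had count been unbounded instead of saturating, noisy high-volume telemetry would crowd the queue, which is exactly the alert-fatigue problem the abstract targets. Conversely the single privilege-escalation event (e6) is queued on severity and priority alone, so low-frequency, high-impact events are not lost to the workload-reduction goal; checking that retention metric against the reduction metric, as the abstract does, is the check a practitioner should keep in any threshold tuning.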
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
